Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

No Enforcement Profile given in ClearPass

  • 1.  No Enforcement Profile given in ClearPass

    Posted May 06, 2016 03:35 PM

    We are in the beginning of a ClearPass rollout, with HP 3800's as our access layer. We have a MAC list for phones, and those are working via mac-based auth. Right now there is a pilot of one port - mine - using ClearPass. My laptop is plugged into the back of the phone, and although I get online and placed in the correct vlan, there is no actual enforcement profile given in the Access Tracker. I am also seeing this in the logs:


    2016-05-06 13:37:26,721[RequestHandler-1-0x7fddcf5fa700 h=5059398 c=R00025174-01-572ce466] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
    2016-05-06 13:37:26,722[RequestHandler-1-0x7fddcf5fa700 r=R00025174-01-572ce466 h=5059397 c=R00025174-01-572ce466] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
    2016-05-06 13:37:26,722[AuthReqThreadPool-10-0x7fde4cf44700 r=R00025174-01-572ce466 h=42] ERROR ExtDB.DBQuery - ResultSet is empty
    2016-05-06 13:37:26,722[AuthReqThreadPool-10-0x7fde4cf44700 r=R00025174-01-572ce466 h=42] ERROR ExtDB.DBQuery - Failed to get value for attributes=Owner]

    Any ideas what might be going on there? The only thing I could find on this site was to verify that the Insight Repository was an authorization source in the service, and it is.

    TIA,

    Russell
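Added example, not part of the thread: a small Python parser for policy-server log lines in the format quoted in the post above. It groups lines by request id (the r= / c= token) and flags requests whose authorization-source lookup (ExtDB.DBQuery) errored, which is the situation where no attributes reach role mapping and no enforcement profile is applied. The sample log is constructed from the excerpt; its last line is invented to show a request whose lookup succeeded.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt above; the last line is invented (successful lookup).
SAMPLE_LOG = """\
2016-05-06 13:37:26,721[RequestHandler-1-0x7fddcf5fa700 h=5059398 c=R00025174-01-572ce466] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
2016-05-06 13:37:26,722[RequestHandler-1-0x7fddcf5fa700 r=R00025174-01-572ce466 h=5059397 c=R00025174-01-572ce466] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
2016-05-06 13:37:26,722[AuthReqThreadPool-10-0x7fde4cf44700 r=R00025174-01-572ce466 h=42] ERROR ExtDB.DBQuery - ResultSet is empty
2016-05-06 13:37:26,722[AuthReqThreadPool-10-0x7fde4cf44700 r=R00025174-01-572ce466 h=42] ERROR ExtDB.DBQuery - Failed to get value for attributes=Owner]
2016-05-06 13:40:01,005[AuthReqThreadPool-11-0x7fde4cf45700 r=R00025175-01-572ce500 h=43] INFO ExtDB.DBQuery - Fetched 1 row(s)
"""
# Line shape: timestamp[thread key=value ...] LEVEL Component - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\[(?P<ctx>[^\]]*)\] "
    r"(?P<level>[A-Z]+) (?P<component>\S+) - (?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    thread, *pairs = m.group("ctx").split()
    kv = dict(p.split("=", 1) for p in pairs if "=" in p)
    # r= carries the request id; the first line of a request only carries c=
    request = kv.get("r") or kv.get("c")
    return {"ts": m.group("ts"), "thread": thread, "request": request,
            "level": m.group("level"), "component": m.group("component"), "msg": m.group("msg")}

def summarize(text):
    """Map each request id to its ExtDB.DBQuery ERROR messages; an empty list
    means the lookup returned data, a non-empty one is the failure seen above."""
    by_req = defaultdict(list)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec and rec["request"]:
            by_req[rec["request"]].append(rec)
    return {req: [r["msg"] for r in recs
                  if r["level"] == "ERROR" and r["component"] == "ExtDB.DBQuery"]
            for req, recs in by_req.items()}

def missing_attributes(messages):
    """Pull attribute names out of 'Failed to get value for attributes=...' messages."""
    attrs = []
    for msg in messages:
        m = re.search(r"attributes=([^\]]+)", msg)
        if m:
            attrs.extend(a.strip() for a in m.group(1).split(","))
    return attrs
```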



  • 2.  RE: No Enforcement Profile given in ClearPass

    EMPLOYEE
    Posted May 06, 2016 03:37 PM
    Can you post a screenshot of the expanded output tab? 


  • 3.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 03:42 PM

    Sure thing. Just in case, here is also the relevant HP switch portion of the config:


    aaa accounting exec start-stop radius
    aaa accounting network start-stop radius
    aaa accounting system start-stop radius
    aaa authentication login privilege-mode
    aaa authentication console login tacacs local
    aaa authentication console enable tacacs local
    aaa authentication ssh login tacacs local
    aaa authentication ssh enable tacacs local
    aaa authentication port-access eap-radius
    aaa port-access gvrp-vlans
    aaa port-access authenticator 1/9
    aaa port-access authenticator 1/9 quiet-period 5
    aaa port-access authenticator 1/9 logoff-period 862400
    aaa port-access authenticator 1/9 client-limit 5
    aaa port-access authenticator active
    aaa port-access mac-based 1/9
    aaa port-access mac-based 1/9 addr-limit 5
    aaa port-access mac-based 1/9 logoff-period 862400
    aaa port-access mac-based 1/9 quiet-period 30
    aaa port-access mac-based addr-format single-dash
    aaa port-access 1/9 mixed

    Thanks



  • 4.  RE: No Enforcement Profile given in ClearPass

    EMPLOYEE
    Posted May 06, 2016 03:47 PM
    That looks like the web auth service handling the health check. You should also have a separate MAC auth service.


  • 5.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 03:57 PM

    It fails mac auth because only the phones are supposed to mac auth, but here it is failing the mac auth.



  • 6.  RE: No Enforcement Profile given in ClearPass

    EMPLOYEE
    Posted May 06, 2016 04:07 PM

    Sorry, I'm not following. So the phone is being MAC authenticated and the laptop is doing 802.1X?



  • 7.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 04:47 PM

    That is correct.



  • 8.  RE: No Enforcement Profile given in ClearPass

    EMPLOYEE
    Posted May 06, 2016 04:52 PM
    What does the expanded output tab of the 802.1X request look like?


  • 9.  RE: No Enforcement Profile given in ClearPass

    Posted May 06, 2016 05:00 PM

    That was the first picture I attached.



  • 10.  RE: No Enforcement Profile given in ClearPass

    EMPLOYEE
    Posted May 06, 2016 05:24 PM
    Please export the 802.1X access tracker request and post.


  • 11.  RE: No Enforcement Profile given in ClearPass

    Posted May 09, 2016 09:50 AM

    Attached

    Attachment: DashboardDetails (1).zip (19 KB)


  • 12.  RE: No Enforcement Profile given in ClearPass

    Posted May 09, 2016 02:27 PM

    It appears that the problem stems from the fact that there is no Endpoint information in the input profile of the device. Annoying to me is that I have an instance of CPPM running in QA, configured the same, same version, HP 3800 in QA, same config (CPPM-wise, but pointing at the prod CPPM), and the QA CPPM is getting the Endpoint info that the production CPPM isn't. They are using different radius keys and SNMP strings in QA and prod. Are there any special characters that aren't allowed by CPPM? Or, they are accepted, but cause problems?